V. Summary of Claimed Subject Matter - 37 C.F.R. § 41.37(c)(1)(v) 
A. Features of the Invention 

A method and system for handling data packets at a logical borderline that 
separates an untrusted packet-switched information network from a protected domain in 
an efficient and secure manner is provided. 

The conventional way of protecting a protected domain against hostile attacks 
from an insecure external information network is to route all data packets transmitted 
therebetween through a so-called firewall. A conventional firewall may utilize a packet 
processor, which filters packets on the basis of the packet header information depending 
on a set of filtering rules defined by the network supervisor. Alternatively, a firewall 
may utilize an application gateway, which monitors the packets on the basis of their 
compliance with a certain protocol in order to decide whether a certain connection 
proceeds according to that protocol. 

A packet processor is fast, but inefficient in filtering undesired packets. An 
application gateway, on the other hand, is effective in detecting and filtering undesired 
packets, but requires a great deal of computational effort which can cause delay in 
processing the packets. The present application describes a system and method that 
provides the level of security of an application gateway while avoiding the long delays 
typically caused by the application gateway. This is achieved by providing both a packet 
processor and an application gateway within a firewall computer, where the packets 
are first examined by the packet processor, which determines whether they are 
associated with the certain protocol that the protocol-specific application gateway 
handles and, if so, redirects those packets to the application gateway for 
processing. As a result, the application gateway processes only those packets that are 
associated with its protocol and the packet processor processes all the other packets. 
Accordingly, the firewall benefits from the security of the application gateway without 
undue delays in processing unassociated packets. 

The packets can be directed from the packet processor to the application gateway 
in a variety of signaling schemes. One embodiment of the present invention utilizes 
NATting (Network Address Translations), which is a method generally known in the art. 
In NATting, the destination information field of the packet is replaced with the address of 
the application gateway, so that the packet is redirected to the application gateway. Since 
the NATted packet received by the application gateway no longer contains the original 
destination address of the packet, such information is signaled from the packet processor 
to the application gateway. The application gateway then uses the original destination 
address along with the packet to process the packet. 

Instead of replacing the original destination address with the address of the 
application gateway, in another embodiment of the present invention, the address of the 
application gateway is prepended as a separate header to the packet at the packet 
processor and used to direct the packet to the application gateway. Thereafter, the 
prepended header is stripped from the packet and the packet is processed at the 
application gateway. 
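To make the two redirection schemes concrete, the following Python simulation is an added illustration and not code from the application or its drawings. It models the packet processor as the fast path that classifies by header and the application gateway as the slow path that applies protocol rules; the gateway address, the choice of HTTP on TCP port 80 as the "certain protocol", the flow key used for the out-of-band signaling of the original destination, and the HTTP-method rule are all assumptions made for the example.

```python
from dataclasses import dataclass, replace

GATEWAY_ADDR = "10.0.0.250"  # assumed address of the application gateway part
HANDLED_PORT = 80            # assumption: the gateway's "certain protocol" is HTTP, recognised by TCP port
HTTP_METHODS = {b"GET", b"POST", b"HEAD"}  # assumed protocol-obedience rule applied by the gateway


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    prepended: tuple = ()  # scheme B: extra header (gateway address,) placed before the packet


class ApplicationGateway:
    """Stands in for the user-mode application gateway part."""

    def __init__(self):
        self.signaled_dst = {}  # scheme A side channel: flow key -> original destination
        self.decisions = []     # (original destination, accepted?) for each packet seen

    def apply_rules(self, pkt, original_dst):
        # Processing rule based on obedience to the protocol: the request line must
        # begin with a known HTTP method; anything else is rejected.
        accepted = pkt.payload.split(b" ", 1)[0] in HTTP_METHODS
        self.decisions.append((original_dst, accepted))
        return accepted

    def receive_natted(self, pkt):
        # The destination field now names the gateway, so the original value is
        # recovered from what the packet processor signaled for this flow.
        original_dst = self.signaled_dst.pop((pkt.src, pkt.sport))
        return self.apply_rules(pkt, original_dst)

    def receive_prepended(self, pkt):
        # The prepended header got the packet here; strip it and use the untouched
        # destination field directly.
        if not pkt.prepended or pkt.prepended[0] != GATEWAY_ADDR:
            raise ValueError("packet not addressed to this gateway")
        inner = replace(pkt, prepended=())
        return self.apply_rules(inner, inner.dst)


class PacketProcessor:
    """Stands in for the kernel-mode packet processor part (the fast path)."""

    def __init__(self, gateway, scheme):
        self.gateway = gateway
        self.scheme = scheme  # "nat" or "prepend"

    def handle(self, pkt):
        # Header-only examination: does the packet pertain to the gateway's protocol?
        if pkt.dport != HANDLED_PORT:
            # Not the gateway's protocol: handled here, never touches the slow path.
            return ("fast-path", pkt.dst)
        if self.scheme == "nat":
            # Scheme A: replace the destination with the gateway's address and signal
            # the original destination out of band, keyed by the flow.
            self.gateway.signaled_dst[(pkt.src, pkt.sport)] = pkt.dst
            redirected = replace(pkt, dst=GATEWAY_ADDR)
            return ("gateway", self.gateway.receive_natted(redirected))
        # Scheme B: leave the destination field alone and prepend a header that
        # carries the gateway's address.
        redirected = replace(pkt, prepended=(GATEWAY_ADDR,))
        return ("gateway", self.gateway.receive_prepended(redirected))


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE_PACKETS = [
    Packet("198.51.100.7", 40001, "192.0.2.10", 80, b"GET / HTTP/1.1\r\n"),
    Packet("198.51.100.8", 40002, "192.0.2.20", 22, b"SSH-2.0-client\r\n"),
    Packet("198.51.100.9", 40003, "192.0.2.10", 80, b"\x16\x03\x01junk"),
]


def run(scheme):
    """Push the sample traffic through one firewall instance; returns (results, gateway decisions)."""
    gateway = ApplicationGateway()
    processor = PacketProcessor(gateway, scheme)
    results = [processor.handle(p) for p in SAMPLE_PACKETS]
    return results, gateway.decisions


if __name__ == "__main__":
    for scheme in ("nat", "prepend"):
        print(scheme, *run(scheme))
```

Under both schemes the SSH packet never reaches the gateway, while both port-80 packets do, and the gateway sees the original destination 192.0.2.10 either from the side channel (scheme A) or from the untouched destination field once the prepended header is stripped (scheme B); the malformed request is rejected by the protocol rule in both cases.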

B. The Independent Claims on Appeal - Claims 1, 39, 41, 43, 47, 51, 53, 62, 
64, 66, 68, 69, 71 and 73 

The following explanation of the claimed subject matter, with reference to the 
specification and drawings of the instant application, is by way of example and for 
explanation only. The invention is not limited to the disclosed embodiments, and certain 
elements may be found in more than one of the disclosed embodiments. 

Claim 1 recites a method for handling digital data packets at a logical borderline 
103 (i.e. a firewall device) that separates an untrusted packet-switched information 
network 101 (e.g. the internet) from a protected domain 102 (i.e. a private packet- 
switched information network), as depicted in FIG. 1. The logical borderline includes a 
packet processor 110 and an application gateway 111. Please see FIG. 1 and page 8, 
lines 1-9. The method of claim 1 comprises the steps of intercepting a packet that is in 
transit between the untrusted packet-switched information network 101 and the protected 
domain 102 at the packet processor 110 and examining the packet at the packet processor 
110 to determine whether it contains digital data that pertains to a certain protocol. 
Please see FIG. 2, page 8, lines 20-28, and page 9, line 18 through page 10, line 17. If 
the packet does not contain digital data that pertain to the certain protocol, the packet 
processor 110 processes the packet. Id. However, if the packet contains digital data that 
pertain to the certain protocol, the packet is redirected to an application gateway part 111 
and processed there according to a set of processing rules based on obedience to the 
certain protocol. Id. Claim 1 also recites a limitation that the packet processor 110 is a 
kernel mode process running in a computer device and the application gateway 111 is a 
user mode process running in a computer device. Please see page 8, line 34 to page 9, 
line 14. 

Claim 39 recites features similar to claim 1, except that it recites in more detail 
the process of redirecting the packet from the packet processor 110 to the application 
gateway 111 according to one embodiment of the present invention. As recited in claim 
39, if the packet contains digital data that pertain to a certain protocol, the original value 
of a certain destination information field within the packet is replaced with a replacement 
value that identifies an application gateway part as the destination of the packet, and 
the packet is redirected to the application gateway part 111. Please see page 6, lines 21-27. 
The packet processor 110 then indicates to the application gateway 111 the original value 
of the destination information field found in the packet at the moment of intercepting the 
packet at the packet processor part. Finally, the indicated original value of the destination 
information field is used at the application gateway 111 in processing the packet 
according to a set of processing rules based on obedience to its certain protocol. Please 
see page 6, line 29 - page 7, line 1 and page 14, line 29 - page 15, line 2. Also, unlike 
claim 1, claim 39 does not recite the packet processor 110 being a kernel mode process 
and the application gateway 111 being a user mode process. 

Claim 41 also recites features similar to claim 1, except that it recites the process 
of redirecting the packet from the packet processor 110 to the application gateway 111 
according to the second embodiment of the present invention. As recited in claim 41, if 
the packet contains digital data that pertain to a certain protocol, a header is prepended to 
the packet at the packet processor 110, the prepended header containing a value that 
identifies an application gateway 111 as the destination of the packet, and the packet is 
redirected to the application gateway 111. Please see page 17, lines 10-16. The prepended 
header is then stripped from the packet at the application gateway 111 and the original 
value of the destination information field in the packet is used at the application gateway 
111 in processing the packet according to a set of processing rules based on obedience to 
its certain protocol. Please see page 17, lines 16-21. Also, similar to claim 39, claim 41 
does not recite the packet processor 110 being a kernel mode process and the application 
gateway 111 being a user mode process. 

Claims 43 and 47 include limitations similar to claims 39 and 41, respectively, but 
recite "a method for handling digital data packet at a packet processing entity located at a 
logical borderline ..." (emphasis added). Similarly, claim 51 includes limitations similar 
to claim 39, but recites "a method for handling digital data packet at an application 
gateway entity located at a logical borderline ..." (emphasis added). 

Claim 53 includes features similar to claim 1, recited in the form of a system. 
Similarly, claims 62, 64, 66, 68, 69, 71 and 73 variously include features similar to 
claims 1, 39, 41, 43 or 47, recited in the form of a system, device, or software program 
product. 






